On Fri, Nov 18, 2022 at 09:08:53AM +0000, Hannes Tschofenig wrote: > > If you talk about "nasty combinatorial explosion" then you need to > explain how "nasty" it is, i.e. what the potential number of > combinations we could have. In practice, none of these algorithm > combinations have been bad in the past since most people are > interested only in a small number of combination rather than anything > that is theoretically possible (see TLS ciphersuites).
Currently, there are 45 (60) possible combinations. And that increases rapidly if HPKE adds anything new: A reasonable set of additions (CP-*, X25519+Kyber768, plus SHA-3 KDF) would push that to 108 (144). The numbers in parenthesis are if exporters are also considered (needed for JOSE, but not COSE). Yes, many of those combinations make little sense, but the problems are to pick those combinations that make sense (some of which are not obvious). Each added HPKE algorithm would be fair amount of work for the WG. And secondarily, ciphersuites are difficult to configure. Currently, I count 12 (17) combinations that I think make sense (but I might be missing some). A reasonable set of additions would bring that to 22 (31). And the main problem with TLS ciphersuites is that it is _not_ "everything possible". There are gaps, either due to some combination just not having a ciphersuite, or such ciphersuite existing, but client not advertising it. And handling that is very difficult, with most implementations being buggy. And on TLS, there is TLS ECH, which uses HPKE in way somewhat similar to COSE-HPKE. It does reuse the HPKE registeries instead of defining its own codepoints (however, it does combine KDF with AEAD, which I do not think is a good idea, KDF should combine with KEM if it is combined with anything). -Ilari _______________________________________________ COSE mailing list [email protected] https://www.ietf.org/mailman/listinfo/cose
